Password- and Phraseless Acids

Document ID : KB000115253
Last Modified Date : 18/09/2018
Show Technical Document Details
Question:
We recently were attended to TSS REM(acid) PSDWDATA and TSS REM(acid) PHRASDATA commands.
We realized, that this allows to shape acids to have neither a password nor a passphrase. We'd like to ask you for help and for clearification.

Q1: Are such password- and phraseless acids "valid" acids or does tss identify them somewhere as "incomplete"?

Q2: Are such acids feasible for acids assigned to started tasks?

Q3: Are such acids feasible for batch-only acids, for which this userid is specified in the // JOB card?

At the moment, we definie acids, which nobody should be able to login with a password, with a randomized password + NOSUSPEND privilege, so that this acid can not be invalidated by a wrong-password attac. Would it be the better approach to remove password and phrase for all such acids, which would also eliminate the need for NOSUSPEND-privilege? 

Q4: Can such password- and phraseless acids be considered as "protected userids" in the sense of NOPASSWORD, NOPHRASE users defined in IBM's RACF?

https://www.ibm.com/support/knowledgecenter/en/SSLTBW_2.1.0/com.ibm.zos.v2r1.icha700/protuser.htm 
Answer:


Q1: Are such password- and phraseless acids "valid" acids or does tss identify them somewhere as "incomplete"?

A1: Yes, we can say that these acids are "valid" and TSS is able to detect them. When such acid tries to access to the system information, TSS denies it. a TSS violation message is being issued in such case; TSS7100E 224 J= A=MYACID T=A52L901 F=TSO - Userid has no Password


Q2: Are such acids feasible for acids assigned to started tasks?

A2: Yes, such acids can be used when assigned to a STC if TSS control option(4) is set.


Q3: Are such acids feasible for batch-only acids, for which this userid is specified in the // JOB card?

A3: Yes, such acids can be used when job is being submitted by an acid having NOSUBCHK or a PER(Submitting_acid) ACID(Submittee_acid) and being specified on job card like // USER=Protected_acid


Q5: At the moment, we definie acids, which nobody should be able to login with a password, with a randomized password + NOSUSPEND privilege, so that this acid can not be invalidated by a wrong-password attac. Would it be the better approach to remove password and phrase for all such acids, which would also eliminate the need for NOSUSPEND-privilege.

A5: This can be discussed. We mean, a STC acid with a password which can be changed depending on a company security policy, "looks more" secure than one without password. On another hand a STC acid without password data cannot access to the system information (see A1). A STC acid with a password if the password is disclosed, might have access to some data it shouldn't. The NOSUSPEND attribute is not only for password violation, but also for resource violation. So, it might be necessary to keep it.


Q4: Can such password- and phraseless acids be considered as "protected userids" in the sense of NOPASSWORD, NOPHRASE users defined in IBM's RACF?

https://www.ibm.com/support/knowledgecenter/en/SSLTBW_2.1.0/com.ibm.zos.v2r1.icha700/protuser.htm

A4: Yes, We would say yes after having read IBM documentation.